学习acegi-security
这几天对acegi研究了一下,现对这几天的研究做个总结。
网上资料对于acegi在web上的应用非常多,所以特意不从web入手,而从一般的java方法入手。
acegi的基本原理就是利用拦截器,对请求进行拦截,在拦截前和拦截后做些安全验证,以达到安全目的。所谓安全,一般包括两个部分,一为认证(authentication),二为授权(authorization)。
1,拦截器体系
acegi中拦截器为分为三类:
(1)filter拦截器(FilterSecurityInterceptor),主要对web应用进行拦截,即利用servlet的filter进行拦截。
(2)method拦截器,分为spring的method拦截器(MethodSecurityInterceptor)和aspectj的method拦截器(AspectJSecurityInterceptor)。
Java代码
public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
MessageSourceAware {
private AccessDecisionManager accessDecisionManager;
private AfterInvocationManager afterInvocationManager;
private ApplicationEventPublisher eventPublisher;
private AuthenticationManager authenticationManager;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private RunAsManager runAsManager = new NullRunAsManager();
private boolean alwaysReauthenticate = false;
private boolean rejectPublicInvocations = false;
private boolean validateConfigAttributes = true;
.........
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
............
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
............
if (afterInvocationManager != null) {
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
}
............
}
protected InterceptorStatusToken beforeInvocation(Object object) {
............
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
............
this.accessDecisionManager.decide(authenticated, object, attr);
............
Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
if (runAs == null) {
............
return new InterceptorStatusToken(authenticated, false, attr, object);
} else {
............
SecurityContextHolder.getContext().setAuthentication(runAs);
return new InterceptorStatusToken(authenticated, true, attr, object);
}
............
}
}
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
&& observeOncePerRequest) {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} else {
if (fi.getRequest() != null) {
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
}
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
}
............
}
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(mi);
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public class AspectJSecurityInterceptor extends AbstractSecurityInterceptor {
public Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(jp);
try {
result = advisorProceed.proceedWithObject();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
MessageSourceAware {
private AccessDecisionManager accessDecisionManager;
private AfterInvocationManager afterInvocationManager;
private ApplicationEventPublisher eventPublisher;
private AuthenticationManager authenticationManager;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private RunAsManager runAsManager = new NullRunAsManager();
private boolean alwaysReauthenticate = false;
private boolean rejectPublicInvocations = false;
private boolean validateConfigAttributes = true;
.........
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
............
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
............
if (afterInvocationManager != null) {
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
}
............
}
protected InterceptorStatusToken beforeInvocation(Object object) {
............
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
............
this.accessDecisionManager.decide(authenticated, object, attr);
............
Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
if (runAs == null) {
............
return new InterceptorStatusToken(authenticated, false, attr, object);
} else {
............
SecurityContextHolder.getContext().setAuthentication(runAs);
return new InterceptorStatusToken(authenticated, true, attr, object);
}
............
}
}
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
&& observeOncePerRequest) {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} else {
if (fi.getRequest() != null) {
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
}
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
}
............
}
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(mi);
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public class AspectJSecurityInterceptor extends AbstractSecurityInterceptor {
public Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(jp);
try {
result = advisorProceed.proceedWithObject();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
上面的代码片断已经显示,所有的真正参与验证的代码都在父类AbstractSecurityInterceptor.beforeInvocation()之中进行,而对于拦截器都只是做些委托罢了。这样可以把具体的验证代码同拦截器分开,也有利于扩展,用其他的aop技术或拦截器进行扩展,可以很轻松。
认证体系由AuthenticationManager负责,授权体系由AccessDecisionManager负责,RunAsManager 是作为用户身份转换的手段。AfterInvocationManager留下了一个接口,可以扩展默认的授权体系,可以做一些其他额外的工作。
在AbstractSecurityInterceptor.beforeInvocation()中,
首先进行认证,authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
其次进行授权,this.accessDecisionManager.decide(authenticated, object, attr);
AbstractSecurityInterceptor.afterInvocation()中,
做其他扩展,returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
2,认证体系
2.1认证管理器
认证体系的核心为AuthenticationManager,他的方法authenticate(Authentication authentication)负责所有的认证。在acegi中,由具体类ProviderManager来进行认证过程。
Java代码
public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
public abstract class AbstractAuthenticationManager
implements AuthenticationManager{
public final Authentication authenticate(Authentication authRequest)
throws AuthenticationException {
try {
Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);
return authResult;
} catch (AuthenticationException e) {
e.setAuthentication(authRequest);
throw e;
}
}
private void copyDetails(Authentication source, Authentication dest) {
if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null)) {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
token.setDetails(source.getDetails());
}
}
protected abstract Authentication doAuthentication(Authentication authentication)
throws AuthenticationException;
.........
}
public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,
ApplicationEventPublisherAware, MessageSourceAware {
private List providers;
............
public Authentication doAuthentication(Authentication authentication)
throws AuthenticationException {
.........
Iterator iter = providers.iterator();
............
while (iter.hasNext()) {
.............
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
.........
result = provider.authenticate(authentication);
............
}
............
}
.........
}
public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
public abstract class AbstractAuthenticationManager
implements AuthenticationManager{
public final Authentication authenticate(Authentication authRequest)
throws AuthenticationException {
try {
Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);
return authResult;
} catch (AuthenticationException e) {
e.setAuthentication(authRequest);
throw e;
}
}
private void copyDetails(Authentication source, Authentication dest) {
if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null)) {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
token.setDetails(source.getDetails());
}
}
protected abstract Authentication doAuthentication(Authentication authentication)
throws AuthenticationException;
.........
}
public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,
ApplicationEventPublisherAware, MessageSourceAware {
private List providers;
............
public Authentication doAuthentication(Authentication authentication)
throws AuthenticationException {
.........
Iterator iter = providers.iterator();
............
while (iter.hasNext()) {
.............
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
.........
result = provider.authenticate(authentication);
............
}
............
}
.........
}
从上面代码片断可以看出,真正的认证过程是在ProviderManager.doAuthentication()中进行的。而ProviderManager并不是具体的认证者,他只是个管理器,它要将具体的认证过程委托给具体的认证器提供者AuthenticationProvider去做。
2.2认证提供者
认证提供者就有很多了,可以提供各种各样的认证。如dao,ldap,anonymous,authbyadapter,cas,jaas,remeberme,remote,runnasimpl,testing,x509等。
Java代码
public interface AuthenticationProvider {
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
public boolean supports(Class authentication);
}
public interface AuthenticationProvider {
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
public boolean supports(Class authentication);
}
具体的认证提供者类就不详细分析了,只提个名字:DaoAuthenticationProvider,LdapAuthenticationProvider,AnonymousAuthenticationProvider,AuthByAdapterProvider,CasAuthenticationProvider,JaasAuthenticationProvider,RememberMeAuthenticationProvider,RemoteAuthenticationProvider,RunAsImplAuthenticationProvider,TestingAuthenticationProvider,X509AuthenticationProvider。
3,授权体系
3.1授权管理器
授权体系的核心为授权管理器(AccessDecisionManager),它的方法decide(Authentication authentication, Object object, ConfigAttributeDefinition config)进行具体的授权动作。
Java代码
public interface AccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException, InsufficientAuthenticationException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
}
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean,
MessageSourceAware {
private List decisionVoters;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private boolean allowIfAllAbstainDecisions = false;
public boolean supports(ConfigAttribute attribute) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (voter.supports(attribute)) {
return true;
}
}
return false;
}
public boolean supports(Class clazz) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (!voter.supports(clazz)) {
return false;
}
}
return true;
}
..............
}
public class AffirmativeBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int deny = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
return;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
break;
}
}
if (deny > 0) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class ConsensusBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int grant = 0;
int deny = 0;
int abstain = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
abstain++;
break;
}
}
if (grant > deny) {
return;
}
if (deny > grant) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
if ((grant == deny) && (grant != 0)) {
if (this.allowIfEqualGrantedDeniedDecisions) {
return;
} else {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class UnanimousBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
int grant = 0;
int abstain = 0;
Iterator configIter = config.getConfigAttributes();
while (configIter.hasNext()) {
ConfigAttributeDefinition thisDef = new ConfigAttributeDefinition();
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
Iterator voters = this.getDecisionVoters().iterator();
while (voters.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
int result = voter.vote(authentication, object, thisDef);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
default:
abstain++;
break;
}
}
}
// To get this far, there were no deny votes
if (grant > 0) {
return;
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public interface AccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException, InsufficientAuthenticationException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
}
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean,
MessageSourceAware {
private List decisionVoters;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private boolean allowIfAllAbstainDecisions = false;
public boolean supports(ConfigAttribute attribute) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (voter.supports(attribute)) {
return true;
}
}
return false;
}
public boolean supports(Class clazz) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (!voter.supports(clazz)) {
return false;
}
}
return true;
}
..............
}
public class AffirmativeBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int deny = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
return;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
break;
}
}
if (deny > 0) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class ConsensusBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int grant = 0;
int deny = 0;
int abstain = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
abstain++;
break;
}
}
if (grant > deny) {
return;
}
if (deny > grant) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
if ((grant == deny) && (grant != 0)) {
if (this.allowIfEqualGrantedDeniedDecisions) {
return;
} else {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class UnanimousBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
int grant = 0;
int abstain = 0;
Iterator configIter = config.getConfigAttributes();
while (configIter.hasNext()) {
ConfigAttributeDefinition thisDef = new ConfigAttributeDefinition();
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
Iterator voters = this.getDecisionVoters().iterator();
while (voters.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
int result = voter.vote(authentication, object, thisDef);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
default:
abstain++;
break;
}
}
}
// To get this far, there were no deny votes
if (grant > 0) {
return;
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
授权管理器AccessDecisionManager默认有三个实现,具体为AffirmativeBased,ConsensusBased,UnanimousBased。三个具体实现都大同小异,主要在具有角色是否应该授权上。
而具体能否单个角色是否授权,是委派给AccessDecisionVoter去做的。
3.2授权投票者
授权投票责的核心是接口AccessDecisionVoter。他有几个具体实现类:BasicAclEntryVoter,AuthenticatedVoter,RoleVoter。
Java代码
public interface AccessDecisionVoter {
public static final int ACCESS_GRANTED = 1;
public static final int ACCESS_ABSTAIN = 0;
public static final int ACCESS_DENIED = -1;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
}
public abstract class AbstractAclVoter implements AccessDecisionVoter {
public boolean supports(Class clazz) {
if (MethodInvocation.class.isAssignableFrom(clazz)) {
return true;
} else if (JoinPoint.class.isAssignableFrom(clazz)) {
return true;
} else {
return false;
}
}
............
}
public class BasicAclEntryVoter extends AbstractAclVoter implements InitializingBean {
private AclManager aclManager;
private String internalMethod;
private String processConfigAttribute;
private int[] requirePermission;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
return true;
} else {
return false;
}
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if (this.supports(attr)) {
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to abstain - domainObject is null");
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if ((internalMethod != null) && !"".equals(internalMethod)) {
try {
Class clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[] {});
domainObject = method.invoke(domainObject, new Object[] {});
} catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + internalMethod);
} catch (IllegalAccessException iae) {
if (logger.isDebugEnabled()) {
logger.debug("IllegalAccessException", iae);
if (iae.getCause() != null) {
logger.debug("Cause: " + iae.getCause().getMessage(), iae.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
} catch (InvocationTargetException ite) {
if (logger.isDebugEnabled()) {
logger.debug("InvocationTargetException", ite);
if (ite.getCause() != null) {
logger.debug("Cause: " + ite.getCause().getMessage(), ite.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
}
// Obtain the ACLs applicable to the domain object
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
// If principal has no permissions for domain object, deny
if ((acls == null) || (acls.length == 0)) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs returned for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
// Principal has some permissions for domain object, check them
for (int i = 0; i < acls.length; i++) {
// Locate processable AclEntrys
if (acls[i] instanceof BasicAclEntry) {
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
// See if principal has any of the required permissions
for (int y = 0; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to grant access");
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
}
// No permissions match
if (logger.isDebugEnabled()) {
logger.debug(
"Voting to deny access - ACLs returned, but insufficient permissions for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
...............
}
public class AuthenticatedVoter implements AccessDecisionVoter {
public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";
public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY";
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private boolean isFullyAuthenticated(Authentication authentication) {
return (!authenticationTrustResolver.isAnonymous(authentication)
&& !authenticationTrustResolver.isRememberMe(authentication));
}
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
Assert.notNull(authenticationTrustResolver, "AuthenticationTrustResolver cannot be set to null");
this.authenticationTrustResolver = authenticationTrustResolver;
}
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null)
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
if (isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isRememberMe(authentication)
|| isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
|| authenticationTrustResolver.isRememberMe(authentication)) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public class RoleVoter implements AccessDecisionVoter {
private String rolePrefix = "ROLE_";
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getRolePrefix())) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
for (int i = 0; i < authentication.getAuthorities().length; i++) {
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public interface AccessDecisionVoter {
public static final int ACCESS_GRANTED = 1;
public static final int ACCESS_ABSTAIN = 0;
public static final int ACCESS_DENIED = -1;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
}
public abstract class AbstractAclVoter implements AccessDecisionVoter {
public boolean supports(Class clazz) {
if (MethodInvocation.class.isAssignableFrom(clazz)) {
return true;
} else if (JoinPoint.class.isAssignableFrom(clazz)) {
return true;
} else {
return false;
}
}
............
}
public class BasicAclEntryVoter extends AbstractAclVoter implements InitializingBean {
private AclManager aclManager;
private String internalMethod;
private String processConfigAttribute;
private int[] requirePermission;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
return true;
} else {
return false;
}
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if (this.supports(attr)) {
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to abstain - domainObject is null");
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if ((internalMethod != null) && !"".equals(internalMethod)) {
try {
Class clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[] {});
domainObject = method.invoke(domainObject, new Object[] {});
} catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + internalMethod);
} catch (IllegalAccessException iae) {
if (logger.isDebugEnabled()) {
logger.debug("IllegalAccessException", iae);
if (iae.getCause() != null) {
logger.debug("Cause: " + iae.getCause().getMessage(), iae.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
} catch (InvocationTargetException ite) {
if (logger.isDebugEnabled()) {
logger.debug("InvocationTargetException", ite);
if (ite.getCause() != null) {
logger.debug("Cause: " + ite.getCause().getMessage(), ite.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
}
// Obtain the ACLs applicable to the domain object
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
// If principal has no permissions for domain object, deny
if ((acls == null) || (acls.length == 0)) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs returned for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
// Principal has some permissions for domain object, check them
for (int i = 0; i < acls.length; i++) {
// Locate processable AclEntrys
if (acls[i] instanceof BasicAclEntry) {
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
// See if principal has any of the required permissions
for (int y = 0; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to grant access");
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
}
// No permissions match
if (logger.isDebugEnabled()) {
logger.debug(
"Voting to deny access - ACLs returned, but insufficient permissions for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
...............
}
public class AuthenticatedVoter implements AccessDecisionVoter {
public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";
public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY";
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private boolean isFullyAuthenticated(Authentication authentication) {
return (!authenticationTrustResolver.isAnonymous(authentication)
&& !authenticationTrustResolver.isRememberMe(authentication));
}
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
Assert.notNull(authenticationTrustResolver, "AuthenticationTrustResolver cannot be set to null");
this.authenticationTrustResolver = authenticationTrustResolver;
}
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null)
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
if (isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isRememberMe(authentication)
|| isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
|| authenticationTrustResolver.isRememberMe(authentication)) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public class RoleVoter implements AccessDecisionVoter {
private String rolePrefix = "ROLE_";
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getRolePrefix())) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
for (int i = 0; i < authentication.getAuthorities().length; i++) {
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
这三个授权投票实现类中 acl 又最复杂。他会委托给acl管理器(AclManager)来做具体的授权工作。
3.3acl授权体系
AclManager只有一个实现类AclProviderManager ,负责提供acl授权实体。
Java代码
public interface AclManager {
public AclEntry[] getAcls(Object domainInstance);
public AclEntry[] getAcls(Object domainInstance, Authentication authentication);
}
public class AclProviderManager implements AclManager, InitializingBean {
public AclEntry[] getAcls(Object domainInstance) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract");
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug("ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance);
}
}
if (logger.isDebugEnabled()) {
logger.debug("No AclProvider found for " + domainInstance.toString());
}
return null;
}
public AclEntry[] getAcls(Object domainInstance, Authentication authentication) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract");
Assert.notNull(authentication, "authentication is null - violating interface contract");
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug("ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance, authentication);
} else {
if (logger.isDebugEnabled()) {
logger.debug("Provider " + provider.toString() + " does not support " + domainInstance);
}
}
}
if (logger.isDebugEnabled()) {
logger.debug("No AclProvider found for " + domainInstance.toString());
}
return null;
}
.........
}
这几天对acegi研究了一下,现对这几天的研究做个总结。
网上资料对于acegi在web上的应用非常多,所以特意不从web入手,而从一般的java方法入手。
acegi的基本原理就是利用拦截器,对请求进行拦截,在拦截前和拦截后做些安全验证,以达到安全目的。所谓安全,一般包括两个部分,一为认证(authentication),二为授权(authorization)。
1,拦截器体系
acegi中拦截器为分为三类:
(1)filter拦截器(FilterSecurityInterceptor),主要对web应用进行拦截,即利用servlet的filter进行拦截。
(2)method拦截器,分为spring的method拦截器(MethodSecurityInterceptor)和aspectj的method拦截器(AspectJSecurityInterceptor)。
Java代码
public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
MessageSourceAware {
private AccessDecisionManager accessDecisionManager;
private AfterInvocationManager afterInvocationManager;
private ApplicationEventPublisher eventPublisher;
private AuthenticationManager authenticationManager;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private RunAsManager runAsManager = new NullRunAsManager();
private boolean alwaysReauthenticate = false;
private boolean rejectPublicInvocations = false;
private boolean validateConfigAttributes = true;
.........
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
............
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
............
if (afterInvocationManager != null) {
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
}
............
}
protected InterceptorStatusToken beforeInvocation(Object object) {
............
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
............
this.accessDecisionManager.decide(authenticated, object, attr);
............
Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
if (runAs == null) {
............
return new InterceptorStatusToken(authenticated, false, attr, object);
} else {
............
SecurityContextHolder.getContext().setAuthentication(runAs);
return new InterceptorStatusToken(authenticated, true, attr, object);
}
............
}
}
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
&& observeOncePerRequest) {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} else {
if (fi.getRequest() != null) {
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
}
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
}
............
}
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(mi);
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public class AspectJSecurityInterceptor extends AbstractSecurityInterceptor {
public Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(jp);
try {
result = advisorProceed.proceedWithObject();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
MessageSourceAware {
private AccessDecisionManager accessDecisionManager;
private AfterInvocationManager afterInvocationManager;
private ApplicationEventPublisher eventPublisher;
private AuthenticationManager authenticationManager;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private RunAsManager runAsManager = new NullRunAsManager();
private boolean alwaysReauthenticate = false;
private boolean rejectPublicInvocations = false;
private boolean validateConfigAttributes = true;
.........
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
............
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
............
if (afterInvocationManager != null) {
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
}
............
}
protected InterceptorStatusToken beforeInvocation(Object object) {
............
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
............
this.accessDecisionManager.decide(authenticated, object, attr);
............
Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
if (runAs == null) {
............
return new InterceptorStatusToken(authenticated, false, attr, object);
} else {
............
SecurityContextHolder.getContext().setAuthentication(runAs);
return new InterceptorStatusToken(authenticated, true, attr, object);
}
............
}
}
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
&& observeOncePerRequest) {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} else {
if (fi.getRequest() != null) {
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
}
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
}
............
}
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(mi);
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
public class AspectJSecurityInterceptor extends AbstractSecurityInterceptor {
public Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
Object result = null;
InterceptorStatusToken token = super.beforeInvocation(jp);
try {
result = advisorProceed.proceedWithObject();
} finally {
result = super.afterInvocation(token, result);
}
return result;
}
............
}
上面的代码片断已经显示,所有的真正参与验证的代码都在父类AbstractSecurityInterceptor.beforeInvocation()之中进行,而对于拦截器都只是做些委托罢了。这样可以把具体的验证代码同拦截器分开,也有利于扩展,用其他的aop技术或拦截器进行扩展,可以很轻松。
认证体系由AuthenticationManager负责,授权体系由AccessDecisionManager负责,RunAsManager 是作为用户身份转换的手段。AfterInvocationManager留下了一个接口,可以扩展默认的授权体系,可以做一些其他额外的工作。
在AbstractSecurityInterceptor.beforeInvocation()中,
首先进行认证,authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
其次进行授权,this.accessDecisionManager.decide(authenticated, object, attr);
AbstractSecurityInterceptor.afterInvocation()中,
做其他扩展,returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
2,认证体系
2.1认证管理器
认证体系的核心为AuthenticationManager,他的方法authenticate(Authentication authentication)负责所有的认证。在acegi中,由具体类ProviderManager来进行认证过程。
Java代码
public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
public abstract class AbstractAuthenticationManager
implements AuthenticationManager{
public final Authentication authenticate(Authentication authRequest)
throws AuthenticationException {
try {
Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);
return authResult;
} catch (AuthenticationException e) {
e.setAuthentication(authRequest);
throw e;
}
}
private void copyDetails(Authentication source, Authentication dest) {
if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null)) {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
token.setDetails(source.getDetails());
}
}
protected abstract Authentication doAuthentication(Authentication authentication)
throws AuthenticationException;
.........
}
public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,
ApplicationEventPublisherAware, MessageSourceAware {
private List providers;
............
public Authentication doAuthentication(Authentication authentication)
throws AuthenticationException {
.........
Iterator iter = providers.iterator();
............
while (iter.hasNext()) {
.............
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
.........
result = provider.authenticate(authentication);
............
}
............
}
.........
}
public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
public abstract class AbstractAuthenticationManager
implements AuthenticationManager{
public final Authentication authenticate(Authentication authRequest)
throws AuthenticationException {
try {
Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);
return authResult;
} catch (AuthenticationException e) {
e.setAuthentication(authRequest);
throw e;
}
}
private void copyDetails(Authentication source, Authentication dest) {
if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null)) {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
token.setDetails(source.getDetails());
}
}
protected abstract Authentication doAuthentication(Authentication authentication)
throws AuthenticationException;
.........
}
public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,
ApplicationEventPublisherAware, MessageSourceAware {
private List providers;
............
public Authentication doAuthentication(Authentication authentication)
throws AuthenticationException {
.........
Iterator iter = providers.iterator();
............
while (iter.hasNext()) {
.............
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
.........
result = provider.authenticate(authentication);
............
}
............
}
.........
}
从上面代码片断可以看出,真正的认证过程是在ProviderManager.doAuthentication()中进行的。而ProviderManager并不是具体的认证者,他只是个管理器,它要将具体的认证过程委托给具体的认证器提供者AuthenticationProvider去做。
2.2认证提供者
认证提供者就有很多了,可以提供各种各样的认证。如dao,ldap,anonymous,authbyadapter,cas,jaas,remeberme,remote,runnasimpl,testing,x509等。
Java代码
public interface AuthenticationProvider {
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
public boolean supports(Class authentication);
}
public interface AuthenticationProvider {
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
public boolean supports(Class authentication);
}
具体的认证提供者类就不详细分析了,只提个名字:DaoAuthenticationProvider,LdapAuthenticationProvider,AnonymousAuthenticationProvider,AuthByAdapterProvider,CasAuthenticationProvider,JaasAuthenticationProvider,RememberMeAuthenticationProvider,RemoteAuthenticationProvider,RunAsImplAuthenticationProvider,TestingAuthenticationProvider,X509AuthenticationProvider。
3,授权体系
3.1授权管理器
授权体系的核心为授权管理器(AccessDecisionManager),它的方法decide(Authentication authentication, Object object, ConfigAttributeDefinition config)进行具体的授权动作。
Java代码
public interface AccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException, InsufficientAuthenticationException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
}
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean,
MessageSourceAware {
private List decisionVoters;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private boolean allowIfAllAbstainDecisions = false;
public boolean supports(ConfigAttribute attribute) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (voter.supports(attribute)) {
return true;
}
}
return false;
}
public boolean supports(Class clazz) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (!voter.supports(clazz)) {
return false;
}
}
return true;
}
..............
}
public class AffirmativeBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int deny = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
return;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
break;
}
}
if (deny > 0) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class ConsensusBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int grant = 0;
int deny = 0;
int abstain = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
abstain++;
break;
}
}
if (grant > deny) {
return;
}
if (deny > grant) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
if ((grant == deny) && (grant != 0)) {
if (this.allowIfEqualGrantedDeniedDecisions) {
return;
} else {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class UnanimousBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
int grant = 0;
int abstain = 0;
Iterator configIter = config.getConfigAttributes();
while (configIter.hasNext()) {
ConfigAttributeDefinition thisDef = new ConfigAttributeDefinition();
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
Iterator voters = this.getDecisionVoters().iterator();
while (voters.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
int result = voter.vote(authentication, object, thisDef);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
default:
abstain++;
break;
}
}
}
// To get this far, there were no deny votes
if (grant > 0) {
return;
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public interface AccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException, InsufficientAuthenticationException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
}
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean,
MessageSourceAware {
private List decisionVoters;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private boolean allowIfAllAbstainDecisions = false;
public boolean supports(ConfigAttribute attribute) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (voter.supports(attribute)) {
return true;
}
}
return false;
}
public boolean supports(Class clazz) {
Iterator iter = this.decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (!voter.supports(clazz)) {
return false;
}
}
return true;
}
..............
}
public class AffirmativeBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int deny = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
return;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
break;
}
}
if (deny > 0) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class ConsensusBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this.getDecisionVoters().iterator();
int grant = 0;
int deny = 0;
int abstain = 0;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break;
default:
abstain++;
break;
}
}
if (grant > deny) {
return;
}
if (deny > grant) {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
if ((grant == deny) && (grant != 0)) {
if (this.allowIfEqualGrantedDeniedDecisions) {
return;
} else {
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
}
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class UnanimousBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
int grant = 0;
int abstain = 0;
Iterator configIter = config.getConfigAttributes();
while (configIter.hasNext()) {
ConfigAttributeDefinition thisDef = new ConfigAttributeDefinition();
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
Iterator voters = this.getDecisionVoters().iterator();
while (voters.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
int result = voter.vote(authentication, object, thisDef);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break;
case AccessDecisionVoter.ACCESS_DENIED:
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
"Access is denied"));
default:
abstain++;
break;
}
}
}
// To get this far, there were no deny votes
if (grant > 0) {
return;
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
授权管理器AccessDecisionManager默认有三个实现,具体为AffirmativeBased,ConsensusBased,UnanimousBased。三个具体实现都大同小异,主要在具有角色是否应该授权上。
而具体能否单个角色是否授权,是委派给AccessDecisionVoter去做的。
3.2授权投票者
授权投票责的核心是接口AccessDecisionVoter。他有几个具体实现类:BasicAclEntryVoter,AuthenticatedVoter,RoleVoter。
Java代码
public interface AccessDecisionVoter {
public static final int ACCESS_GRANTED = 1;
public static final int ACCESS_ABSTAIN = 0;
public static final int ACCESS_DENIED = -1;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
}
public abstract class AbstractAclVoter implements AccessDecisionVoter {
public boolean supports(Class clazz) {
if (MethodInvocation.class.isAssignableFrom(clazz)) {
return true;
} else if (JoinPoint.class.isAssignableFrom(clazz)) {
return true;
} else {
return false;
}
}
............
}
public class BasicAclEntryVoter extends AbstractAclVoter implements InitializingBean {
private AclManager aclManager;
private String internalMethod;
private String processConfigAttribute;
private int[] requirePermission;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
return true;
} else {
return false;
}
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if (this.supports(attr)) {
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to abstain - domainObject is null");
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if ((internalMethod != null) && !"".equals(internalMethod)) {
try {
Class clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[] {});
domainObject = method.invoke(domainObject, new Object[] {});
} catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + internalMethod);
} catch (IllegalAccessException iae) {
if (logger.isDebugEnabled()) {
logger.debug("IllegalAccessException", iae);
if (iae.getCause() != null) {
logger.debug("Cause: " + iae.getCause().getMessage(), iae.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
} catch (InvocationTargetException ite) {
if (logger.isDebugEnabled()) {
logger.debug("InvocationTargetException", ite);
if (ite.getCause() != null) {
logger.debug("Cause: " + ite.getCause().getMessage(), ite.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
}
// Obtain the ACLs applicable to the domain object
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
// If principal has no permissions for domain object, deny
if ((acls == null) || (acls.length == 0)) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs returned for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
// Principal has some permissions for domain object, check them
for (int i = 0; i < acls.length; i++) {
// Locate processable AclEntrys
if (acls[i] instanceof BasicAclEntry) {
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
// See if principal has any of the required permissions
for (int y = 0; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to grant access");
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
}
// No permissions match
if (logger.isDebugEnabled()) {
logger.debug(
"Voting to deny access - ACLs returned, but insufficient permissions for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
...............
}
public class AuthenticatedVoter implements AccessDecisionVoter {
public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";
public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY";
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private boolean isFullyAuthenticated(Authentication authentication) {
return (!authenticationTrustResolver.isAnonymous(authentication)
&& !authenticationTrustResolver.isRememberMe(authentication));
}
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
Assert.notNull(authenticationTrustResolver, "AuthenticationTrustResolver cannot be set to null");
this.authenticationTrustResolver = authenticationTrustResolver;
}
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null)
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
if (isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isRememberMe(authentication)
|| isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
|| authenticationTrustResolver.isRememberMe(authentication)) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public class RoleVoter implements AccessDecisionVoter {
private String rolePrefix = "ROLE_";
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getRolePrefix())) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
for (int i = 0; i < authentication.getAuthorities().length; i++) {
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public interface AccessDecisionVoter {
public static final int ACCESS_GRANTED = 1;
public static final int ACCESS_ABSTAIN = 0;
public static final int ACCESS_DENIED = -1;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
}
public abstract class AbstractAclVoter implements AccessDecisionVoter {
public boolean supports(Class clazz) {
if (MethodInvocation.class.isAssignableFrom(clazz)) {
return true;
} else if (JoinPoint.class.isAssignableFrom(clazz)) {
return true;
} else {
return false;
}
}
............
}
public class BasicAclEntryVoter extends AbstractAclVoter implements InitializingBean {
private AclManager aclManager;
private String internalMethod;
private String processConfigAttribute;
private int[] requirePermission;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
return true;
} else {
return false;
}
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if (this.supports(attr)) {
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to abstain - domainObject is null");
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if ((internalMethod != null) && !"".equals(internalMethod)) {
try {
Class clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[] {});
domainObject = method.invoke(domainObject, new Object[] {});
} catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + internalMethod);
} catch (IllegalAccessException iae) {
if (logger.isDebugEnabled()) {
logger.debug("IllegalAccessException", iae);
if (iae.getCause() != null) {
logger.debug("Cause: " + iae.getCause().getMessage(), iae.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
} catch (InvocationTargetException ite) {
if (logger.isDebugEnabled()) {
logger.debug("InvocationTargetException", ite);
if (ite.getCause() != null) {
logger.debug("Cause: " + ite.getCause().getMessage(), ite.getCause());
}
}
throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
}
// Obtain the ACLs applicable to the domain object
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
// If principal has no permissions for domain object, deny
if ((acls == null) || (acls.length == 0)) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs returned for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
// Principal has some permissions for domain object, check them
for (int i = 0; i < acls.length; i++) {
// Locate processable AclEntrys
if (acls[i] instanceof BasicAclEntry) {
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
// See if principal has any of the required permissions
for (int y = 0; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to grant access");
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
}
// No permissions match
if (logger.isDebugEnabled()) {
logger.debug(
"Voting to deny access - ACLs returned, but insufficient permissions for this principal");
}
return AccessDecisionVoter.ACCESS_DENIED;
}
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
...............
}
public class AuthenticatedVoter implements AccessDecisionVoter {
public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";
public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY";
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private boolean isFullyAuthenticated(Authentication authentication) {
return (!authenticationTrustResolver.isAnonymous(authentication)
&& !authenticationTrustResolver.isRememberMe(authentication));
}
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
Assert.notNull(authenticationTrustResolver, "AuthenticationTrustResolver cannot be set to null");
this.authenticationTrustResolver = authenticationTrustResolver;
}
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null)
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
if (isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isRememberMe(authentication)
|| isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
|| authenticationTrustResolver.isRememberMe(authentication)) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public class RoleVoter implements AccessDecisionVoter {
private String rolePrefix = "ROLE_";
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) && attribute.getAttribute().startsWith(getRolePrefix())) {
return true;
} else {
return false;
}
}
public boolean supports(Class clazz) {
return true;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) {
result = ACCESS_DENIED;
for (int i = 0; i < authentication.getAuthorities().length; i++) {
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
这三个授权投票实现类中 acl 又最复杂。他会委托给acl管理器(AclManager)来做具体的授权工作。
3.3acl授权体系
AclManager只有一个实现类AclProviderManager ,负责提供acl授权实体。
Java代码
public interface AclManager {
public AclEntry[] getAcls(Object domainInstance);
public AclEntry[] getAcls(Object domainInstance, Authentication authentication);
}
public class AclProviderManager implements AclManager, InitializingBean {
public AclEntry[] getAcls(Object domainInstance) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract");
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug("ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance);
}
}
if (logger.isDebugEnabled()) {
logger.debug("No AclProvider found for " + domainInstance.toString());
}
return null;
}
public AclEntry[] getAcls(Object domainInstance, Authentication authentication) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract");
Assert.notNull(authentication, "authentication is null - violating interface contract");
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug("ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance, authentication);
} else {
if (logger.isDebugEnabled()) {
logger.debug("Provider " + provider.toString() + " does not support " + domainInstance);
}
}
}
if (logger.isDebugEnabled()) {
logger.debug("No AclProvider found for " + domainInstance.toString());
}
return null;
}
.........
}
110
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
